The present invention relates to the technical field of computers and computing systems, and more specifically, to the identification and handling of open-source and other software components retrieved from a cloud computing environment or similar remote source, where the functionality and/or content of such components requires that they be handled in particular ways.
As will be well understood, the creation of bespoke software can be a lengthy and costly process. In recent years, there has been an increasing trend for software developers to make use of existing services and software solutions for specific tasks, with a common source for such services and solutions being the Internet or other users on a shared network. Such sources are generally referred to as a cloud computing environment.
One common form of software available from cloud computing sources is so-called open-source software, which tends to have few if any restrictions on use and modification for the private user. Open-source software can have drawbacks for the user wishing to incorporate a solution in a commercial product: copyleft licence terms (as in the well-known GPL, for example) typically require that when the program, or a work derived from it, is distributed, the corresponding source code be made available to recipients under the same terms, something that commercial product providers will be reluctant to do.
A user obtaining access to services in a cloud computing environment may have no idea whether the service uses software from various open-source projects, or has other characteristics that render it unsuitable for use or incorporation. Conversely, a supplier of software services to be used in a cloud computing environment is much less likely to have knowledge of how those services will be used and therefore of which parts of the code will be executed. Typically a provider of services (software utilities) to a cloud environment would "decontaminate" their software by manually scanning the source for keywords and would then either obtain legal clearance to ship their cloud products with the open-source code still in, or remove the open-source code.
Many software companies will use proprietary tools to assist the decontamination process, or will have customised in-house developed tools. An example of the latter is the CSAR (Code Scan, Analysis and Reporting) tool used by the present applicants. CSAR provides a static code analysis that is run, during the development phase of a software creation project, against the entire source code and searches for keywords and markers that might indicate the presence of open-source code that would need special review and clearance procedures. The decontamination process is manual and subject to error as the software stack can be large and complex to scan methodically. In addition, much time and resources may be “wasted” by scanning and decontaminating code that is never invoked.
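The keyword-and-marker scan described above, written out as an added example; this is illustrative code and not the applicants' CSAR tool or any code from the original text. The sample source tree, the marker patterns, the in-house copyright holder "Example Corp" and the set of "invoked" files are all constructed assumptions. The triage step goes slightly beyond the text: it takes a set of files known to be executed (as a coverage or call-graph tool might report it) and separates flagged files that must be cleared from flagged files that nothing in the product ever invokes, which is the waste the paragraph complains about.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample source tree (path -> contents); not from the original page.
SAMPLE_TREE: Dict[str, str] = {
    "src/app/main.c": (
        "/* Copyright (c) 2023 Example Corp. All rights reserved. */\n"
        "int main(void) { return 0; }\n"
    ),
    "src/vendor/hash.c": (
        "/*\n"
        " * This program is free software; you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License as published by\n"
        " * the Free Software Foundation; either version 2 of the License.\n"
        " */\n"
    ),
    "src/vendor/json.c": (
        "// SPDX-License-Identifier: MIT\n"
        "// Copyright (c) 2015 Some Author\n"
    ),
    "src/vendor/net.c": (
        '/* Licensed under the Apache License, Version 2.0 (the "License"); */\n'
    ),
    "src/util/str.c": "/* no header */\nchar *dup(const char *s);\n",
}

# Keyword/marker patterns of the kind a CSAR-style static scan searches for.
# Each entry: (marker name, regex, licence class the marker implies). Assumed patterns.
MARKERS: List[Tuple[str, re.Pattern, str]] = [
    ("gpl-text", re.compile(r"GNU (?:Lesser |Affero )?General Public License", re.I), "copyleft"),
    ("mit-text", re.compile(r"\bMIT License\b|Permission is hereby granted, free of charge", re.I), "permissive"),
    ("apache-text", re.compile(r"Apache License,? Version 2\.0", re.I), "permissive"),
    ("bsd-text", re.compile(r"Redistribution and use in source and binary forms", re.I), "permissive"),
]
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
# Captures the copyright holder following a year or year range.
COPYRIGHT_RE = re.compile(
    r"Copyright\s*(?:\(c\)|©)?\s*\d{4}(?:\s*-\s*\d{4})?\s*(?:by\s+)?([^\n*/]+)", re.I
)


def classify_spdx(ident: str) -> str:
    """Map an SPDX identifier to the coarse class used for clearance decisions."""
    up = ident.upper()
    if up.startswith(("GPL", "LGPL", "AGPL")):
        return "copyleft"
    if up.startswith(("MIT", "APACHE", "BSD", "ISC", "ZLIB")):
        return "permissive"
    return "unknown"


@dataclass
class Finding:
    path: str
    markers: List[str] = field(default_factory=list)
    holders: List[str] = field(default_factory=list)
    # copyleft | unknown-licence | permissive | third-party | in-house | none
    category: str = "none"
    needs_review: bool = False


def scan_file(path: str, text: str, own_holders: Iterable[str]) -> Finding:
    """Search one file for licence text, SPDX tags and copyright notices and classify it."""
    f = Finding(path)
    classes = set()
    for name, rx, cls in MARKERS:
        if rx.search(text):
            f.markers.append(name)
            classes.add(cls)
    for m in SPDX_RE.finditer(text):
        f.markers.append("spdx:" + m.group(1))
        classes.add(classify_spdx(m.group(1)))
    f.holders = [m.group(1).strip() for m in COPYRIGHT_RE.finditer(text)]
    foreign = [h for h in f.holders if not any(o in h for o in own_holders)]
    # Most restrictive class wins; an unrecognised SPDX tag is escalated to a human.
    if "copyleft" in classes:
        f.category = "copyleft"
    elif "unknown" in classes:
        f.category = "unknown-licence"
    elif "permissive" in classes:
        f.category = "permissive"
    elif foreign:
        f.category = "third-party"
    elif f.holders:
        f.category = "in-house"
    f.needs_review = f.category in ("copyleft", "unknown-licence", "permissive", "third-party")
    return f


def scan_tree(tree: Dict[str, str], own_holders: Iterable[str] = ("Example Corp",)) -> Dict[str, Finding]:
    return {p: scan_file(p, t, own_holders) for p, t in tree.items()}


def triage(findings: Dict[str, Finding], invoked: Optional[Iterable[str]] = None) -> Tuple[List[str], List[str]]:
    """Split flagged files into (must be cleared, flagged but never invoked).
    `invoked` is assumed to come from a coverage or call-graph tool; None means review everything."""
    flagged = sorted(p for p, f in findings.items() if f.needs_review)
    if invoked is None:
        return flagged, []
    reach = set(invoked)
    return [p for p in flagged if p in reach], [p for p in flagged if p not in reach]


if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for p, f in sorted(results.items()):
        print(f"{p:20} {f.category:15} review={f.needs_review} markers={f.markers}")
    # Constructed reachability set, as a coverage run of the shipped product might report it.
    must, skip = triage(results, invoked={"src/app/main.c", "src/vendor/hash.c", "src/util/str.c"})
    print("to clear:", must)
    print("flagged but never invoked:", skip)
```

Marker matching of this kind only finds code that has kept its licence header or SPDX tag; a file copied in with the header stripped produces no finding at all, which is one reason such scans remain subject to error and why commercial tools supplement them with hash or snippet matching against a corpus of known open-source files.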